Social engineering has its roots in social psychology and by definition is the effort to influence the attitudes, relationships and/or actions of an individual or a society, in short, to change or direct behaviour towards a goal.
In 1895 Gustave Le Bon published the book “Psychology of the Masses“ and in it he explains how leaders can take advantage of the psychology of the masses to manipulate and achieve their objectives.
As technology advances and the use of computers and the Internet becomes more common, hackers and other cybercriminals use social engineering techniques to trick people into obtaining sensitive information or accessing computer systems.
Criminals use social engineering to exploit trust, innocence, fear and other human emotions to achieve their goals.
Kevin Mitnick is one of the most famous people to use social engineering with new technologies. Even before the 1990s, Mitnick was using manipulation techniques by posing as an employee of companies to obtain confidential information.
Social engineering today
One of the goals for cybercriminals when using social engineering is to achieve financial gain, and there are multiple variants of cyber scams using social engineering. However, I will focus on social engineering in the enterprise and social engineering in individual victims.
The CEO fraud
Europol recently dismantled a Franco-Israeli organisation that allegedly defrauded more than €38 million through “CEO fraud”.
This type of fraud involves deceiving employees who are authorised to issue payments by impersonating senior company managers or suppliers who urgently need to change the current account for the next payment.
The fraudsters usually know the organisation well, either because they have studied it, are disgruntled ex-employees, or because they are insiders.
At first glance, the email they use looks very similar to the legitimate one, or they directly impersonate it. In addition, their emails often refer to an important situation in the company and use phrases such as “confidential” or “urgent”.
Romance scams are also another type of scam that yields significant financial gain. According to data from the Federal Trade Commission, romance scams on adults over the age of 60 accounted for 139 million dollars in 2020.
This type of scam mainly consists of either through dating apps or on social networks such as Facebook or Instagram. The scammer sends a request to the potential victim from a fake profile pretending to be a highly qualified professional, doctor, pilot, etc.
After talking via social networks, they usually want to talk via instant messaging, WhatsApp or Telegram. In this way they try to gain the trust of the victims to create an emotional connection.
After the emotional connection they create a sad story, such as that a loved one has passed away or the serious illness may have a family member. In this way they generate empathy in the potential victim. Once the trust relationship is established, they ask for money, under the pretext of meeting, for example, the costs of supposed medical treatment.
How can we protect ourselves?
Europol EC3 together with several other organisations give recommendations on how to prevent and protect against the frauds we have discussed.
We have advice for CEO fraud, both as a company and as an employee:
As a company:
- Be aware of the risks and ensure that employees are informed and aware too.
- Encourage your staff to approach payment requests with caution.
- Implement internal protocols concerning payments.
- Implement a procedure to verify the legitimacy of payment requests received by email.
- Establish reporting routines for managing fraud.
- Review information posted on your company website, restrict information and show caution with regard to social media.
- Upgrade and update technical security.
🛑 Report actual or attempted fraud to Police.
As an employee:
- Strictly apply the security procedures in place for payments and procurement. Do not skip any steps and do not give in to pressure.
- Always carefully check email addresses when dealing with sensitive information/money transfers.
- In case of doubt on a transfer order, consult a competent colleague.
- Never open suspicious links or attachments received by email. Be particularly careful when checking your private email on the company’s computers.
- Restrict information and show caution with regard to social media.
- Avoid sharing information on the company’s hierarchy, security or procedures.
🛑 If you receive a suspicious email or call, always inform your IT department.
Regarding the romance scam, the Europol EC3 tells us the following in order to protect ourselves:
- Be very careful about how much personal information you share on social network and dating sites.
- Always consider the risks. Scammers are present on the most reputable sites.
- Go slow and ask questions.
- Research the person’s photo and profile to see if the material has been used elsewhere.
- Be alert to spelling and grammar mistakes, inconsistencies in their stories and excuses such as their camera not working.
- Don’t share any compromising material that could be used to blackmail you.
- If you agree to meet in person, tell family and friends where you are going.
- Beware of money requests. Never send money or give credit card details, online account details, or copies of personal documents.
- Avoid sending them upfront payments.
- Don’t transfer money for someone else: money laundering is a criminal offence.
No one is safe from being a victim of a cyber scam, so you should not leave all cybersecurity in the hands of technology, as protection starts with you.
Featured photo: Kyle Glenn / Unsplash